azeem via FreeIPA-users wrote:
Hello!
I have inherited a FreeIPA server, and upon checking the certificate list with getcert list, it shows that the certificate is already expired. Does anyone know how to renew it? Because of this issue, I am not able to enroll any clients. Any help would be appreciated.
Request ID '20160825909273':
        status: CA_UNREACHABLE
        ca-error: Server at https://test.domain.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=test.domain.com,O=TEST.DOMAIN.COM
        expires: 2023-12-18 15:52:08 UTC
        principal name: ldap/test.domain.com@TEST.DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM
        track: yes
        auto-renew: yes
You have more certificates expired than just this one. I would expect there are a number of CA-related certificates also expired. The number of tracked certificates should be more than 8 (if using getcert and not ipa-getcert).
What version of IPA is this on what distro?
rob
azeem via FreeIPA-users wrote:
Hi Rob,
Thanks for your reply. FreeIPA version: 4.2.0, CentOS 7. And yes, you are right. Here's the list of all the certificates:
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160825909273':
        status: CA_UNREACHABLE
        ca-error: Server at https://test.domain.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=test.domain.com,O=TEST-DOMAIN-COM
        expires: 2023-12-18 15:52:08 UTC
        principal name: ldap/test.domain.com@TEST.DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM
        track: yes
        auto-renew: yes
Request ID '20160825202951':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=CA Audit,O=TEST.DOMAIN.COM
        expires: 2023-06-29 10:17:49 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160825202952':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=OCSP Subsystem,O=TEST-DOMAIN-COM
        expires: 2023-06-29 10:16:09 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160825202953':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=CA Subsystem,O=TEST-DOMAIN-COM
        expires: 2023-06-29 10:16:29 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160825202954':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=Certificate Authority,O=TEST-DOMAIN-COM
        expires: 2035-10-30 19:52:54 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160825202955':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=test.domain.com,O=TEST-DOMAIN-COM
        expires: 2024-04-23 15:52:18 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160825203104':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=test.domain.com,O=TEST-DOMAIN-COM
        expires: 2024-10-14 20:01:14 UTC
        principal name: HTTP/test.domain.com@TEST.DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20160825203110':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=IPA RA,O=TEST-DOMAIN-COM
        expires: 2023-06-29 10:16:20 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
You're running such an old version of RHEL and IPA that you're going to need to do this the hard way.
Some of the certs expired nearly a year ago.
I'd recommend, if you can, snapshot the system so you can recover if anything goes awry.
What you're going to need to do is stop ntpd and go back in time to 2023-06-28. Once you do that, run ipactl restart. That will hopefully bring all the services back up and operational.
See if this host is the renewal master: ipa config-show
If it is then proceed. If not you'll need to set it as the renewal master: ipa config-mod --ca-renewal-master-server=<this FQDN>
Restart certmonger and then watch to see if the renewals happen.
getcert list | grep status
The certs should go into SUBMITTING and eventually hopefully MONITORING. It may be a bumpy ride as the certs need to renew one at a time and there will be a lot of service restarts so it may take a while.
Assuming all the certs renew then you can come back to present time, ipactl restart, and things should work for another year.
rob
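Added example, not code from this thread, FreeIPA or certmonger: a small Python script that reads a getcert list dump and works through the diagnosis in the reply above, namely which tracked certs are expired as of a given date, which requests certmonger is not quietly monitoring, and the day before the earliest expiry, which is the rollback date the reply picks (the earliest expiry in the list is 2023-06-29, so it lands on 2023-06-28). The sample dump is constructed from the eight records quoted earlier in the thread and trimmed to the fields the script reads; the function names and the assumed "today" of 2024-05-20 are this example's own choices. The parser relies on the layout getcert prints: a Request ID header followed by one indented "name: value" line per field.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: the eight tracked requests quoted in the thread, trimmed
# to the fields this script reads (status, ca-error, certificate, expires).
SAMPLE_GETCERT_LIST = """\
Request ID '20160825909273':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://test.domain.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2023-12-18 15:52:08 UTC
Request ID '20160825202951':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2023-06-29 10:17:49 UTC
Request ID '20160825202952':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2023-06-29 10:16:09 UTC
Request ID '20160825202953':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2023-06-29 10:16:29 UTC
Request ID '20160825202954':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2035-10-30 19:52:54 UTC
Request ID '20160825202955':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2024-04-23 15:52:18 UTC
Request ID '20160825203104':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2024-10-14 20:01:14 UTC
Request ID '20160825203110':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2023-06-29 10:16:20 UTC
"""

@dataclass
class TrackedCert:
    request_id: str
    status: str
    location: str
    nickname: str
    expires: datetime  # naive; getcert prints UTC
    ca_error: Optional[str] = None

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':[ \t]*$", re.M)
_FIELD_RE = re.compile(r"^[ \t]+([A-Za-z][A-Za-z -]*?):[ \t]?(.*)$", re.M)

def _utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS UTC' as getcert prints it, or a bare 'YYYY-MM-DD'."""
    stamp = stamp.replace(" UTC", "").strip()
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S" if " " in stamp else "%Y-%m-%d")

def parse_getcert_list(text: str) -> List[TrackedCert]:
    """One TrackedCert per 'Request ID' record, read from its indented 'name: value' lines."""
    heads = list(_REQUEST_RE.finditer(text))
    certs = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = {k: v.strip() for k, v in _FIELD_RE.findall(text[head.end():end])}
        store = fields.get("certificate", "")
        loc = re.search(r"location='([^']*)'", store)
        nick = re.search(r"nickname='([^']*)'", store)
        certs.append(TrackedCert(head.group(1), fields.get("status", "?"),
                                 loc.group(1) if loc else "?", nick.group(1) if nick else "?",
                                 _utc(fields["expires"]), fields.get("ca-error") or None))
    return certs

def expired_certs(certs: List[TrackedCert], as_of: str) -> List[TrackedCert]:
    """Certs whose notAfter is at or before as_of ('YYYY-MM-DD', optionally with a time)."""
    now = _utc(as_of)
    return [c for c in certs if c.expires <= now]

def unhealthy_requests(certs: List[TrackedCert]) -> List[TrackedCert]:
    """Requests certmonger is not quietly tracking: a non-MONITORING status or a ca-error."""
    return [c for c in certs if c.status != "MONITORING" or c.ca_error]

def rollback_date(certs: List[TrackedCert], as_of: str) -> Optional[str]:
    """Day before the earliest expiry among the expired certs (None if nothing expired)."""
    gone = expired_certs(certs, as_of)
    if not gone:
        return None
    return (min(c.expires for c in gone) - timedelta(days=1)).strftime("%Y-%m-%d")

if __name__ == "__main__":
    as_of = "2024-05-20"  # assumed 'today' for the walk-through
    tracked = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for c in tracked:
        flag = "EXPIRED" if c.expires <= _utc(as_of) else "ok"
        print(f"{flag:7} {c.expires:%Y-%m-%d} {c.status:14} {c.location}:{c.nickname}")
    print("rollback to:", rollback_date(tracked, as_of))
```

To use it on a live server, save the output of getcert list to a file and pass its contents to parse_getcert_list. The rollback date it reports is the latest day on which every tracked cert was still within its validity period; the clock also has to sit after the most recent cert's notBefore, which is why the reply picks the day just before the first expiry rather than an arbitrary earlier date.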
Thank you, Rob. As this is a production server, I will make the changes as you suggested. I will do it over the weekend and let you know.
azeem via FreeIPA-users wrote:
Hi Rob,
Apologies for the late response. I have set the server time back to 2023-06-23, and when I run the command ipa config-show, I am getting:
ipa config-show
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
And when I do kinit user, I am getting:
kinit: Generic error (see e-text) while getting initial credentials
The getcert list command shows:
Number of certificates and requests being tracked: 8.
Request ID '20160825909273':
        status: MONITORING
        ca-error: Error setting up ccache for "host" service on client using default keytab: Generic error (see e-text).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=test.domain.com,O=TEST-DOMAIN-COM
        expires: 2023-12-18 15:52:08 UTC
        principal name: ldap/test.domain.com@TEST.DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM
        track: yes
        auto-renew: yes
Please advise.
While back in time you need to restart the IPA services.
rob
azeem via FreeIPA-users wrote:
Hi Rob,
I restarted the IPA services. After that, when I run 'ipa config-show', I am getting the following error.
ipa config-show
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
Did you kinit back in time with the KDC running?
I assume that all the services started ok?
rob
Unfortunately, I am not able to execute 'kinit user'; I am encountering the following error: kinit: Generic error (see e-text) while getting initial credentials
And yes, all the services started correctly.
freeipa-users@lists.fedorahosted.org